Secret.get has the Secret's contents in plaintext in the statefile #2300

Labels: impact/security; kind/bug (Some behavior is incorrect or out of spec); resolution/fixed (This issue was fixed)
What happened?
If you look at the resource in the statefile, its `data` will be (encoded) in plaintext under `outputs.__inputs.data`. This is a security concern! Not only is it unencrypted in state, but it will sometimes show as a diff in `pulumi up --diff --refresh`.
Expected Behavior
As a general rule, I expect that if an `outputs.xxx` value is encrypted, its corresponding `outputs.__inputs.xxx` value should be encrypted too.

Steps to reproduce
1. `Secret.get("mysecret", "default/mysecret")`
2. `pulumi stack export > state.json`
3. `outputs.__inputs.data` is unencrypted (though `outputs.data` is properly encrypted)

Output of pulumi about
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
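The reproduction above can be turned into an audit of an exported state file. The script below is an added example, not code from this issue or from the pulumi-kubernetes project; it assumes Pulumi's secret sentinel key/value pair in exported state and runs against a constructed sample state that mirrors the reported condition (encrypted `outputs.data`, plaintext `outputs.__inputs.data`).

```python
import json
import sys

# Pulumi marks a secret property value in exported state with this sentinel pair.
SIG_KEY = "4dabf18193072939515e22adb298388d"
SECRET_SIG = "1b47061264138c4ac30d75fd1eb44270"


def is_secret(value):
    """True if value is a Pulumi secret wrapper (ciphertext, or plaintext under --show-secrets)."""
    return isinstance(value, dict) and value.get(SIG_KEY) == SECRET_SIG


def find_leaked_inputs(state):
    """Return (urn, key) pairs where outputs[key] is a secret but outputs.__inputs[key] is not."""
    leaks = []
    for res in state.get("deployment", {}).get("resources", []):
        outputs = res.get("outputs") or {}
        inputs = outputs.get("__inputs") or {}
        for key, out_val in outputs.items():
            if key == "__inputs" or not is_secret(out_val):
                continue
            if key in inputs and not is_secret(inputs[key]):
                leaks.append((res.get("urn"), key))
    return leaks


def audit_state_file(path):
    """Load a `pulumi stack export` JSON file and return its leaked (urn, key) pairs."""
    with open(path, encoding="utf-8") as fh:
        return find_leaked_inputs(json.load(fh))


# Constructed sample state: the Secret's outputs.data is encrypted, but the copy the
# provider keeps under outputs.__inputs.data is still plaintext (base64-encoded only).
SAMPLE_STATE = {
    "version": 3,
    "deployment": {
        "resources": [{
            "urn": "urn:pulumi:dev::example::kubernetes:core/v1:Secret::mysecret",
            "type": "kubernetes:core/v1:Secret",
            "outputs": {
                "data": {SIG_KEY: SECRET_SIG, "ciphertext": "v1:PLACEHOLDER-CIPHERTEXT"},
                "__inputs": {"data": {"password": "cGFzc3dvcmQ="}},
            },
        }]
    },
}

if __name__ == "__main__":
    leaks = audit_state_file(sys.argv[1]) if len(sys.argv) > 1 else find_leaked_inputs(SAMPLE_STATE)
    for urn, key in leaks:
        print(f"plaintext __inputs.{key} beside secret output in {urn}")
    sys.exit(1 if leaks else 0)
```

Run it as `python audit_state.py state.json` after `pulumi stack export > state.json`; a non-zero exit means at least one resource still carries a plaintext `__inputs` copy of an encrypted output.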